Description

I'm using the CXF OAuth library as a cross-domain, non-cookie way to protect my resource server endpoints. As such, I don't need the user to authorize access to any data. I know this isn't part of the OAuth 2 spec, but it would be very nice if there were a config setting that would skip the user authorization part.

Activity

Steven Tippetts
added a comment - 03/Dec/12 19:34
I also added a snippet of code in my convertScopeToPermissions method of my ImplicitDataProvider object to check the requested scopes against a collection of allowed scopes that I store on a per-client basis by overriding the Client object and adding an allowedScopes property.
Although, as I look now at the code, I could probably add scope + "_status" parameters of the allowed scopes prior to the call to super.completeAuthorization(params) and remove the check in convertScopeToPermissions.
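
An added example, not the reporter's or CXF's own code, of the per-client allow-list check described in the comment above: ScopedClient and its allowedScopes field are hypothetical, and the CXF types used (Client and its three-argument constructor, OAuthPermission, OAuthError, OAuthServiceException, OAuthConstants.INVALID_SCOPE) are assumed from the CXF OAuth2 module rather than taken from this issue.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;

/** Hypothetical Client subclass carrying the per-client allow list described in the comment. */
class ScopedClient extends Client {
    private final Set<String> allowedScopes = new HashSet<String>();

    ScopedClient(String clientId, String secret, boolean confidential, String... allowed) {
        super(clientId, secret, confidential); // assumed Client(String, String, boolean) constructor
        Collections.addAll(allowedScopes, allowed);
    }

    Set<String> getAllowedScopes() {
        return Collections.unmodifiableSet(allowedScopes);
    }
}

/** Allow-list check for a convertScopeToPermissions(Client, List<String>) override to delegate to. */
public final class ClientScopePolicy {
    public static List<OAuthPermission> toPermissions(Client client, List<String> requestedScopes) {
        Set<String> allowed = client instanceof ScopedClient
            ? ((ScopedClient) client).getAllowedScopes()
            : Collections.<String>emptySet(); // unknown client type: nothing is allowed
        List<OAuthPermission> permissions = new ArrayList<OAuthPermission>();
        for (String scope : requestedScopes) {
            if (!allowed.contains(scope)) {
                // Fail closed: one scope outside the allow list rejects the whole request
                // instead of being silently dropped, so the client sees it asked for too much.
                throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE,
                        "scope '" + scope + "' is not permitted for client " + client.getClientId()));
            }
            permissions.add(new OAuthPermission(scope, "Access to " + scope));
        }
        if (permissions.isEmpty()) {
            // No scope at all would otherwise produce an unscoped token; refuse it too.
            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE, "no scope requested"));
        }
        return permissions;
    }
}
```

An ImplicitDataProvider's convertScopeToPermissions override can then return ClientScopePolicy.toPermissions(client, requestedScopes), so a mismatch ends the flow with an invalid_scope error rather than a token carrying fewer scopes than the client assumed.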

Sergey Beryozkin
added a comment - 04/Dec/12 12:17
Let me also ask - is the client acting effectively as the end user? If it is the same entity, then maybe it is the client credentials grant which has to be used?

Steven Tippetts
added a comment - 04/Dec/12 18:06
Sergey, thank you for your feedback. I'm not able to use the client credentials grant because my client is public and I need the implicit flow. However, I can use pre-authorized tokens. Thank you for suggesting that. In order to get the pre-authorized tokens working I need a change to the code. I'll create another issue for that change. This issue can be closed.